In a typical conventional two-factor authentication system, a user is equipped with an authentication token. The authentication token may be implemented as a small, hand-held device that displays a series of passwords over time. These passwords, which may be one-time passwords, are more generally referred to herein as tokencodes. A user equipped with such an authentication token reads the currently displayed password and enters it into a computer or other element of an authentication system as part of an authentication operation. The user is also generally required to enter a personal identification number (PIN). Two-factor authentication is thus based on something the user has (e.g., the authentication token) and something the user knows (e.g., the PIN).
Three-factor authentication systems are also available, where the third factor required for successful authentication relates to a physical characteristic of the user, or in other words, something the user is (e.g., a fingerprint).
Authentication tokens include both time-based tokens and event-based tokens. In a typical time-based token, the displayed passwords are based on a secret value and the time of day. A verifier with access to the secret value and a time of day clock can verify that a given presented password is valid. One particular example of a time-based authentication token is the RSA SecurID user authentication token, commercially available from RSA, The Security Division of EMC Corporation, of Bedford, Mass., U.S.A. In a typical event-based token, the displayed passwords are based on a secret value and an event counter. The event counter may count the number of occurrences of a particular event, such as a user pressing a button on the token. A verifier with access to the secret value and the current event count can verify that a given presented password is valid.
Passwords can be communicated directly from an authentication token to a computer or other element of an authentication system, instead of being displayed to the user. For example, a wired connection such as a universal serial bus (USB) interface may be used for this purpose. Wireless authentication tokens are also known. In such tokens, the passwords are wirelessly communicated to a computer or other element of an authentication system. These wired or wireless arrangements save the user the trouble of reading the password from the display and manually entering it into the computer.
Additional details of exemplary conventional authentication tokens can be found in, for example, U.S. Pat. No. 4,720,860, entitled “Method and Apparatus for Positively Identifying an Individual,” U.S. Pat. No. 5,168,520, entitled “Method and Apparatus for Personal Identification,” and U.S. Pat. No. 5,361,062, entitled “Personal Security System,” all of which are incorporated by reference herein.
A problem that can arise for users equipped with authentication tokens is that such users may want to authenticate to a given system without having possession of an operative token. For example, the user may have temporarily misplaced the token, forgotten to bring it home from the office or vice-versa, left it in the car, etc. Also, the token may break, or its battery may become depleted, etc. However, conventional authentication systems, such as the two-factor and three-factor systems noted above, generally require that the user be in physical possession of an operative token in order to authenticate.
A similar problem can arise when the user losses, misplaces or forgets another credential, such as, the something the user is meant to know. For example, the PIN discussed above.